AD FS update Password Page – Add a Captcha

On AD FS, a specific Endpoint called /adfs/ls/updatepassword is present and disable by default, this endpoint allows you to provide a page for your users to update their password.

You can choose to provide this page only for Internal users, but if you choose to enable this endpoint on Proxy, it becomes publicly accessible from the Internet.
And so, attackers can try to do brute force on it.

One way to guard against this is to set up a captcha feature.

Create a new AD FS Web Theme

To be able to customize some scripts used by AD FS, we first need to create a new dedicated Web Theme.

Open PowerShell with administrator rights, and type the following commands:

New-AdfsWebTheme –Name custom –SourceName default

This command create a new theme named custom based on the default theme.

Export-AdfsWebTheme –Name default –DirectoryPath c:\ADFStheme

This command export theme elements for default theme to your selected path.

Edit onload.js file

Go to the exported folder path, in our example C:\ADFStheme\ and go to script folder.
Edit the onload.js file with the following code:

if(window.location.href.indexOf("adfs/portal/updatepassword") != -1) {
var updatePasswordFormElement = document.getElementById("updatePasswordForm");
var headerElement = document.getElementById("header");
var introductionElement = document.getElementById("introduction");
if (updatePasswordFormElement){ = "none";
if (introductionElement) {
	var iDiv = "<br /><br /><br /><div id='captchaForm' class='captchaForm'><form name='review' ACTON='#' METHOD='GET' onsubmit=\"return checkform(this);\"><font color='#000000'>For security reasons please retype this code <br /><br />Enter code: </font><span id='txtCaptchaDiv'style='background-color:#0000ab;color:#FFF;padding:5px;margin:10px'></span><input type='hidden' id='txtCaptcha' /><input type='text' name='txtInput' id='txtInput' size='6'/><span id='txtCaptchaDiv' style='margin:10px'></span><input type='submit' value='Submit'/></form></div>";
		introductionElement.innerHTML += iDiv;
	if ( == "goodCaptcha"){
		var captchaFormElement = document.getElementById("captchaForm");
		var updatePasswordFormElement = document.getElementById("updatePasswordForm"); = "none"; = "block";
	//Generates the captcha function
	var a = Math.ceil(Math.random() * 9)+ '';
	var b = Math.ceil(Math.random() * 9)+ '';
	var c = Math.ceil(Math.random() * 9)+ '';
	var d = Math.ceil(Math.random() * 9)+ '';
	var e = Math.ceil(Math.random() * 9)+ '';
	var f = Math.ceil(Math.random() * 9)+ '';
	var code = a + b + c + d + e + f;
	document.getElementById("txtCaptcha").value = code;
	document.getElementById("txtCaptchaDiv").innerHTML = code;

function checkform(theform){
var why = "";
if(theform.txtInput.value == ""){
	why += "Security code should not be empty.\n";
if(theform.txtInput.value != ""){
	if(ValidCaptcha(theform.txtInput.value) == false){
	why += "Security code did not match.\n";
if(why != ""){
	return false;
} = "goodCaptcha"

// Validate the Entered input aganist the generated security code function
function ValidCaptcha(){
	var str1 = removeSpaces(document.getElementById('txtCaptcha').value);
	var str2 = removeSpaces(document.getElementById('txtInput').value);
	if (str1 == str2){
		return true;
			return false;

// Remove the spaces from the entered and generated code
function removeSpaces(string){
return string.split(' ').join('');

This is just an example of what you can do with script integration, but you can develop your own code or directly called the Captcha API.
My example is just based on 6 numeric characters, we can of course do much more complex.

Apply the our custom js to our custom AD FS Web Theme

Open PowerShell with administrator rights, and type the following commands:

Set-AdfsWebTheme -TargetName custom -OnLoadScriptPath "c:\ADFStheme\script\onload.js"

This command apply our new onload.js to our custom theme named custom

Set-AdfsWebConfig -ActiveThemeName custom 

This command will apply our new theme named custom a Active Theme on AD FS

Check the result

Open a browser session on go to the update password page of your federation service

Users now need to enter the displayed Security code, before being allowed to change their password.